1. 技术文章
  2. IAM policy to allow access to DynamoDB console for specific tables

IAM policy to allow access to DynamoDB console for specific tables

别说谁变了你拦得住时间么 提交于 2020-06-12 04:30:19

问题


Is it possible to create an AWS IAM policy that provides access to the DynamoDB console only for specific tables? I have tried:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt0000000001",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                <other actions>
            ], 
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:<region>:<account>:table/FooTable",
                "arn:aws:dynamodb:<region>:<account>:table/BarTable"
            ]
        }
    ]
}

but for a user with this policy attached, the DynamoDB tables list says "Not Authorized" (as it does when no policy is attached).

Setting "Resource" to "*" and adding a new statement like below lets the user perform < other actions > on FooTable and BarTable, but they can also see all other tables in the tables list.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt0000000001",
            "Action": [
                <other actions>
            ], 
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:<region>:<account>:table/FooTable",
                "arn:aws:dynamodb:<region>:<account>:table/BarTable"
            ]
        },
        {
            "Sid": "Stmt0000000002",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTables"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

回答1:


Sorry for the bad news, but the AWS Management Console requires both DescribeTable and ListTables permissions against the whole of DynamoDB in order to operate correctly.

However, there is a small workaround... You can give Console users a URL that takes them directly to the table, and operates fine for viewing and adding items, etc.

Just copy the URL from a user that has correct permissions, eg:

https://REGION.console.aws.amazon.com/dynamodb/home?region=REGION#explore:name=TABLE-NAME



回答2:


I found that apart from DynamoDB, users need to have wildcard permissions for CloudWatch and SNS. See here: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html (topic: "Example 5: Set Up Permissions Policies for Separate Test and Production Environments").

You may add AmazonDynamoDBReadOnlyAccess predefined policy to yours.



来源:https://stackoverflow.com/questions/30407179/iam-policy-to-allow-access-to-dynamodb-console-for-specific-tables

标签
amazon-dynamodb
amazon-iam
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!